In Senate hearing, Uber CISO admits company messed up in not quickly disclosing breach that exposed data on 57 million people.

A senior US lawmaker Tuesday slammed ride-hailing giant Uber for not promptly disclosing a November 2016 breach that exposed personal data on 57 million people, choosing instead to pay $100,000 to keep the two perpetrators of the theft silent.

At a hearing before the Senate Committee for Commerce, Science & Transportation, Sen. Richard Blumenthal (D-Conn.) described Uber's action as "morally wrong and legally reprehensible."

Uber's payoff violated not only the law but also the norm of what should be expected in such situations, Blumenthal said. "Drivers and riders were not informed and neither was law enforcement. In fact, it was almost a form of obstruction of justice."

Uber CEO Dara Khosrowshahi last November disclosed that the company had a year ago quietly paid two hackers $100,000 to destroy data they had stolen from a cloud storage location. The compromised data included names and driver's license information for some 600,000 Uber drivers in the US, and also the names, email addresses, and cellphone numbers of some 57 million Uber riders and drivers worldwide in total.

Khosrowshahi claimed he learned of the data breach and the payoff only just prior to disclosing it and vowed to make changes to ensure the same lapse would not happen again. He also disclosed that Uber had fired CISO Joe Sullivan and another executive who had led the response to the breach.

In testimony before the Senate Committee Tuesday, Uber CISO John Flynn admitted the company had made a mistake in not disclosing the breach in a timely fashion. But he claimed the primary goal in paying the intruders was to protect the stolen data.

"I would like to echo statements made by new leadership, and state publicly that it was wrong not to disclose the breach earlier," Flynn said. There is no justification for Uber's breach notification failure, Flynn candidly admitted. "The real issue was we didn't have the right people in the room making the right decisions."

According to Flynn, Uber first learned about the breach on November 14, 2016, when one of the attackers sent an email informing the company that its data had been accessed. The attacker demanded a six-figure ransom payment for not leaking the data.

Uber security engineers were quickly able to determine the thieves had accessed copies of certain databases and files stored in a private location on Amazon's AWS cloud.

The attackers had apparently managed to gain access to the data using a legitimate credential that they found within code on a repository for Uber engineers on GitHub. The discovery prompted Uber to take immediate measures like implementing multifactor authentication on Github and across the company and adding auto-expiring credentials to protect against similar attacks.

In response to questions, Flynn admitted that Uber's decision to pay the $100,000 ransom amount, as a bug bounty, was a mistake as well. Like many other companies, Uber runs a vulnerability disclosure program that offers cash rewards to white-hat hackers who find and report exploitable security bugs in its services. HackerOne has been managing Uber's bug bounty program since 2018.

Blumenthal and Sen. Catherine Cortez Masto (D-Nev.) wanted to know why Uber had decided to pay the attackers the demanded $100,000 in the form a bug bounty. Both lawmakers pointed out that the actions by the two individuals was criminal in nature and not something that anyone would consider as responsible bug disclosure activity.

"The key distinction is they not only found a weakness but also exploited it in a malicious fashion to access and download data," Blumenthal noted. "Concealing, it in my view, is aiding and abetting the crime."

Masto expressed some incredulity that Uber would try to point malicious attackers to its managed bug bounty program in the first place. "So there was a criminal element trying to get into your data...and you are trying to put them on the right path?" she asked.

Flynn admitted that the intruders in this case were fundamentally different from usual bug hunters. He claimed that Uber decided to use the bug bounty program only as a means to gain attribution and assurances from the attackers. "We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," he noted.

Casey Ellis, founder of managed bug hunting service Bugcrowd, said today's hearing shines a spotlight on the ethics of Uber's response. "This was not a bug bounty payout. This was extortion, and the difference between the two is unambiguous."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

The actions and inactions of Uber speak for themselves. Sadly, congressional hearings have become less about fact-finding, than serving as a stage for politicians to coddle or condemn witnesses, in order to impress their constituencies, or further a partisan agenda. Authors would be wise to filter the facts from the commentary and posturing.

As sound as the accusations against Uber may be; find a better judge of what is "moral" than CT's senator; his moral compass infallibly points in the direction of the TV cameras, and spins away from ever pointing out his own failures of judgement, or those of his compatriots. [lifelong CT resident - unaffiliated voter]

Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.

Published: 2017-05-09NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.